Hi there,

is this the best place to raise questions about SELinux, or would I be better trying chat? I am making a big effort to get to enforcing strict on a simple server and I am struggling a little.

For example, I run Rsyslog and I have lots of AVCs concerning denied sendto's to /dev/log. The target context is usually sysadm_t, which does not seem right, and I also notice that Rsyslog is in the same context. I would expect it to be in a context involving syslog somehow. I have restarted the service from the sysadm_r role and it makes no difference. Also, I do not get asked to authenticate when starting the service, whereas other services require this, and there is no entry for rsyslog in the rc-status display despite it being installed in the default runlevel.

Example AVCs:

type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1

type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1


There does not appear to be any specific rsyslog selinux package so I assume it should all be syslog-related and already in the core policy (although I cannot find it there). I also note that Red Hat has a page on setting up Rsyslog in SELinux so I feel fairly sure it should work. It only tells you how to change the ports, however. I am using TCP on port 514 but I don't think I need to do anything according to RH.

Have I missed something, done something fundamentally wrong, or just need to add something to stop the AVCs? Not keen on blindly fixing things so I want to know what I need to do and why before I do it.

Thanks in anticipation,
Robert Sharp
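The three AVC records quoted above all share one shape: a confined daemon (postfix_smtp_t, postfix_cleanup_t, krb5kdc_t) sends to /dev/log, and the socket on the other end is owned by sysadm_t rather than by a syslog domain. The following Python script is an added example, not code from the original post, that parses such audit records, groups them by source type, target type, object class and permission, and flags any /dev/log sendto whose target type is not the expected syslog daemon domain. The expected domain name `syslogd_t` (the domain the reference policy gives the syslog daemon) is an assumption passed as a parameter; the sample log text is the three records from the post, embedded inline so the script runs offline.

```python
import re
from collections import Counter

# Constructed sample input: the three AVC records quoted in the post.
SAMPLE_AVCS = """\
type=AVC msg=audit(1478957011.808:1910): avc: denied { sendto } for pid=6043 comm="smtp" path="/dev/log" scontext=system_u:system_r:postfix_smtp_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478953126.199:1909): avc: denied { sendto } for pid=5949 comm="cleanup" path="/dev/log" scontext=system_u:system_r:postfix_cleanup_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1478952507.872:1907): avc: denied { sendto } for pid=3099 comm="krb5kdc" path="/dev/log" scontext=system_u:system_r:krb5kdc_t tcontext=staff_u:sysadm_r:sysadm_t tclass=unix_dgram_socket permissive=1
"""

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs after "for"; values may be double-quoted (comm, path) or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def parse_audit_log(text):
    """Parse every AVC record in a block of audit.log text, skipping other lines."""
    return [r for r in (parse_avc(line) for line in text.splitlines()) if r]


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def summarize(records):
    """Count denials by (source type, target type, object class, permission)."""
    counts = Counter()
    for r in records:
        for perm in r["perms"]:
            key = (context_type(r["scontext"]), context_type(r["tcontext"]), r["tclass"], perm)
            counts[key] += 1
    return counts


def find_mislabeled_log_socket(records, expected_type="syslogd_t"):
    """Return /dev/log sendto records whose target type is not the syslog daemon domain.

    A hit means the process holding /dev/log is not running in the domain the
    policy expects (here the assumed reference-policy domain syslogd_t), which
    is what the post describes: rsyslog itself running as sysadm_t.
    """
    return [
        r for r in records
        if r.get("path") == "/dev/log"
        and "sendto" in r["perms"]
        and context_type(r["tcontext"]) != expected_type
    ]


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_AVCS)
    for key, n in sorted(summarize(recs).items()):
        print(f"{n:3d}  {key[0]} -> {key[1]} {key[2]} {key[3]}")
    for r in find_mislabeled_log_socket(recs):
        print(f"serial {r['serial']}: {r['comm']} ({context_type(r['scontext'])}) "
              f"wrote to /dev/log owned by {context_type(r['tcontext'])}, not syslogd_t")
```

Run it against a real audit.log by replacing `SAMPLE_AVCS` with the file's contents. When every /dev/log denial points at the same unexpected target type, the thing to investigate is the logging daemon's own process context (the result of `ps -eZ` for the rsyslog process) rather than the individual senders, since each sender's denial is a symptom of the socket owner's label.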
